Re: [DNSOP] Security Considerations Suggestion for draft-ietf-dnsop-rfc7816bis
"Hollenbeck, Scott" <shollenbeck@verisign.com> Fri, 12 July 2019 18:38 UTC
Return-Path: <shollenbeck@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD0E312082B for <dnsop@ietfa.amsl.com>; Fri, 12 Jul 2019 11:38:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rLlUMRhCQJW8 for <dnsop@ietfa.amsl.com>; Fri, 12 Jul 2019 11:38:11 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75187120828 for <dnsop@ietf.org>; Fri, 12 Jul 2019 11:38:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=7098; q=dns/txt; s=VRSN; t=1562956693; h=from:to:cc:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=cac9DhFta/MhjSYARp9oiRnytvR9YvBxTZxcw5CzLgY=; b=MeLQmsw6dl9UlDiEynRkOWfgzfbG0kRkgIfewNh+O4wcvA2MS14CV78N yBerd/IcqUl5yCXQofJ1W+7QONYS00IpRSJM6TgqLpGRu10fW890f3c22 DX4rUWaeA1XqboQy0ZTqylxU8qXpI4Ulg8Yavbw6TcD3qFokBAFOAOPX8 kodftPYVDDX9sOvDONHVnJ1c/9I0xIvZQps4OxlrFHCae1MyELtqJJT8E J86g2awGkkq1Itfqgnfk8vBpWamb+WkZfYAcwXmtsT4eacYvA6/YLGSq1 X2lUDlVuWWGTAxnAFskSogoQhYc2Hbg9AO50XFaXcBpZzbm9ZDpi/h6j7 A==;
X-IronPort-AV: E=Sophos;i="5.63,483,1557201600"; d="scan'208";a="8016663"
IronPort-PHdr: 9a23:HUNQXh81u1DjAv9uRHKM819IXTAuvvDOBiVQ1KB20+4cTK2v8tzYMVDF4r011RmVBN+dtqoP0rCK+4nbGkU4qa6bt34DdJEeHzQksu4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1Ov71GonPhMiryuy+4ZLebxhWiDanYb5+MBq6oRjPusQZnIBvNrs/xhzVr3VSZu9Y33loJVWdnxb94se/4ptu+DlOtvwi6sBNT7z0c7w3QrJEAjsmNXs15NDwuhnYUQSP/HocXX4InRdOHgPI8Qv1Xpb1siv9q+p9xCyXNtD4QLwoRTiv6bpgRRn1gykFKjE56nnahMxugqxGvBKvqR9xw4DWb4GUKPVwcazScMgGRWVaXMZdSzBNDp++YoYJEuEPPfxYr474p1YWoxewBw6sBOfryjBWgH/5xrM13PgiEQ3ewQcuAs4BsHPIrNXpOqsZTOe4zLLIzTXEa/NW3Sny6I7TfR8/vf6MXql9cdTPxkk1FgPFlVSQqYPjPz+PyusNtG2b4vNmWOmyiGAnsxl8riWzyss2l4XEhIwYxkrZ+Sh5zos5P9K1RUpjbdK5DJdcrTyWOolqTs84Xm1ltyU3xqcbtZO4ZCQKxoooyh3DZ/GCdoWF4A7sWPqLLjp9mX5qZK6wihOy/Ee91OL8WMy53VJXoSVYjNbBsG0G2QbJ5cidUPR9+1+s2TOI1w/O9O5JOVs0la/HK545xb4wi4YTvVzDHiDonEX2i7ebe1g49Oaw9ujoYq3oqJCdOINolA3yKLouldC4AeQiKggCRXKU9vmm2L395035W7NKgucqnanetZDWPcUbpqinDA9Jyosv9gqzAy273Nkak3QLNk9JdRKJgoTzNFzDJOj0DfKljFStlDdryerGPrrkApjVNXjDkLDhfbJ560FCzgo81s5Q6I5XCrwaPvL8RFXxtN3DDh84PAy0xfzrB8l61oMbQW6PGLOWMLvOsV+U4eIiO+6MZIAIuDngMPUl4PHujWIkllMHYaap2p4XYmiiHvt6O0WZfWbsgtAZHGgXuAo+V+vqiEWZXD5SeXmyQ6w86is8CIK8AoeQDryq1faG0zq3NppZe2wAAVeJWz+8cIqZV98LZz+eZMRml2pXe6KmTtpr9RaqsAL8wbdsLa6cwSYfqY6pnIxu5+rXkRw0/zF/DOyD3nuMVGB7mCUDQDpgj/M3mlB01lrWifswuPdfD9EGv/4=
X-IPAS-Result: A2E5AADY0ihd/zGZrQplGwEBAQEDAQEBBwMBAQGBVgMBAQELAYQsCoQSlHJ+mXcJAQEBAQEBAQEBBwEvAQGBS4J1AheCYzcGDgEDAQEBBAEBAQEEAQEBAoYmC4I6IoJvAQEBAQIBIxE4CgMMBAIBCBEEAQEBAgImAgICMBUICAEBBA4FCAwFhQWsLIEyijuBDCgBiRWCYIFBPoERgl01PoJhBIFJgyCCWASOdIUhlWBtAwYCghmUAyOYB400l00CBAIEBQIVgWaBe3CDPIJ4jg1yAY9IgSEBAQ
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Fri, 12 Jul 2019 14:38:09 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde]) by BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde%4]) with mapi id 15.01.1713.004; Fri, 12 Jul 2019 14:38:09 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "ogud@ogud.com" <ogud@ogud.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] Re: [DNSOP] Security Considerations Suggestion for draft-ietf-dnsop-rfc7816bis
Thread-Index: AdU1vxeK7E7aUixlS2+CnLGAXGUkpwB0V0qAAFPNoQA=
Date: Fri, 12 Jul 2019 18:38:09 +0000
Message-ID: <0e614090ac0b4681b1e0cd3e9f642c60@verisign.com>
References: <e15316f69b6445ba8443702729d33799@verisign.com> <37BB5367-EBE2-48B0-8A90-E47892E214F8@ogud.com>
In-Reply-To: <37BB5367-EBE2-48B0-8A90-E47892E214F8@ogud.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DfZiXPFmCSSTaFzF-zaq2xxzfAs>
Subject: Re: [DNSOP] Security Considerations Suggestion for draft-ietf-dnsop-rfc7816bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 18:38:14 -0000
> -----Original Message----- > From: Olafur Gudmundsson <ogud@ogud.com> > Sent: Wednesday, July 10, 2019 6:29 PM > To: Hollenbeck, Scott <shollenbeck@verisign.com> > Cc: dnsop@ietf.org > Subject: [EXTERNAL] Re: [DNSOP] Security Considerations Suggestion for > draft-ietf-dnsop-rfc7816bis > > > Hi Scott, some nits below > > On Jul 8, 2019, at 3:00 PM, Hollenbeck, Scott > <shollenbeck=40verisign.com@dmarc.ietf.org> wrote: > > > > I've recently been reading draft-ietf-dnsop-rfc7816bis and I'd like to > propose some additional text for the Security Considerations section in the > spirit of this sentence from the abstract: > > > > "Future versions of this draft will contain descriptions of different > minimisation implementation choices that have been made since the RFC > 7816 first came out, as well as deployment experience." > > > > QNAME minimization has the consequence of reduction in the amount of > information seen by authoritative name server operators. Active > consideration of that consequence is worth capturing as a factor to be > weighed when making the choice to implement QNAME minimization, > especially if there are other ways to gain privacy protection. Here's suggested > text: > > > > In addition to the performance considerations described in Section 4, > > there's also a security risk associated with the reduction of data > > sent to authoritative name servers: they lose some of their ability to > > assess > > “data sent to authoritative name servers” > The zone authoritative name servers get the same query with and without > Query Minimization (QM) I think you want to say “parental name servers” i.e. > servers for zones above the zone. Thanks for the feedback, Olafur. I'm Ok with "parental" instead of "authoritative". > > security threats [Kaliski-Minimum]. This ability has proven to be useful in, > for example, studies of name collision vulnerabilities [MitM-Attack-Name- > Collisions] [Client-Side-Name-Collision]. It was also instrumental in the > research that led to the discovery of the JASBUG vulnerability [ICS-ALERT-15- > 041-01]. The reduction will also have an impact on the level of detail available > for research studies such as DNS-OARC's annual Day in the Life of the > Internet (DITL) data collection exercise [DITL]. > > > Your arguments about visibility to researchers are true but not exclusive i.e. > the same information can be derived from recursive resolvers, and from the > pool of queries that still arrive without QMr. > As for using the DITL as argument against query-minimization I think there > should be some arguments that DITL collection serves a useful purpose. OK, so let's see what others have to say about the utility of mentioning DITL data collection. > > For this reason, implementers should also consider the potential impact on > threat analysis and research when reducing the level of detail included in > queries to authoritative name servers. Without such consideration, a > collection of individual decisions to reduce query information, over time, may > well have the unintended consequence of "deciding" to no longer support > threat analysis and research that the operational DNS community has > historically relied on. Alternative mechanisms for facilitating threat analysis > and research are beyond the scope of this document. > > again object to the word “authoritative” > I think this statement is not needed, it assumes that such research can only > be done by operators of parental domains. > What QM does is to disrupt operating models and data collection by > intermediaries ==> that was an explicit goal The target of your advise is not > JUST implementers of software but operators of resolvers as most resolver > implementations provide a configuration option to select QM So how about this? In addition to the performance considerations described in Section 4, there's also a security risk associated with the reduction of data sent to parental name servers: they lose some of their ability to assess security threats [Kaliski-Minimum]. This ability has proven to be useful in, for example, studies of name collision vulnerabilities [MitM-Attack-Name-Collisions] [Client-Side-Name-Collision]. It was also instrumental in the research that led to the discovery of the JASBUG vulnerability [ICS-ALERT-15-041-01]. The reduction will also have an impact on the level of detail available for research studies such as DNS-OARC's annual Day in the Life of the Internet (DITL) data collection exercise [DITL]. For this reason, operators should consider the potential impact on threat analysis and research when reducing the level of detail included in queries to parental name servers. Without such consideration, a collection of individual decisions to reduce query information, over time, may well have the unintended consequence of "deciding" to no longer support threat analysis and research that the operational DNS community has historically relied on. Alternative mechanisms for facilitating threat analysis and research are beyond the scope of this document. Scott
- [DNSOP] Security Considerations Suggestion for dr… Hollenbeck, Scott
- Re: [DNSOP] Security Considerations Suggestion fo… Olafur Gudmundsson
- Re: [DNSOP] Security Considerations Suggestion fo… Hollenbeck, Scott